It’s no secret that healthcare is vulnerable to cybersecurity threats and patient privacy and safety are at risk. Good news! HHS recently announced a plan to enhance cybersecurity in the healthcare and public health sectors. Through various initiatives, including 405(d) and other HHS efforts, plans are starting to come together like pieces of a puzzle to help practices stay ahead in the ever-evolving landscape of cybersecurity. It’s time to get informed and take action to protect your practice, business, and patients.
In this episode: New HHS Cyber Plan Announced – Ep 438
Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
April 9-12, 2024: HIPAA PriSec Boot Camp! It will be held in Atlanta; exact location TBD.
HIPAA Say What!?!
[08:15] HHS’ Office for Civil Rights Settles First Ever Phishing Cyber-Attack Investigation
The agreement included a $480,000 payment plus a two-year corrective action plan.
Lafourche Medical Group, LLC Resolution Agreement and Corrective Action Plan | HHS.gov
Lafourche Medical Group filed a breach report with HHS on May 28, 2021, reporting that a phishing attack led to a hacker gaining access to an email account on March 30, 2021. That account had the PHI of approximately 34,862 individuals.
A breach report of that size automatically triggers an OCR investigation. What OCR found was:
- Prior to the 2021 reported breach, Lafourche Medical Group failed to conduct a risk analysis.
- They had no policies or procedures in place to regularly review information system activity (for example, audit logs and access reports) to safeguard protected health information against cyberattacks.
“LMG shall create, document and implement security measures sufficient to reduce risks and vulnerabilities to ePHI, identified in its December 2022 Security Risk Assessment”
Also, for those who say you don’t need to do an annual risk analysis, there was this part:
“LMG shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by LMG, including any affiliates that are owned, controlled, or managed by LMG, and document the security measures LMG implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level.”
“LMG may submit any risk analysis performed in 2023 or that is currently underway for consideration by HHS for compliance with this provision, along with the corresponding risk management plan.”
“Such policies and procedures shall include a process(es) for the regular review of all records of information system activity collected by LMG and processes for evaluating when the collection of new or different records needs to be included in the review. The policies and procedures should also identify what systems are being included in the review and a 14-day frequency to conduct such reviews.”
The press release ends with a long list of resources that are there to help.
AI-Augmented Phishing and the Threat to the Health Sector
New HHS Cyber Plan Announced
[30:15] The new concept paper explains the HHS cybersecurity strategy for the health care sector.
Healthcare Sector Cybersecurity Strategy of the U.S. Department of Health and Human Services
The HHS concept paper outlines the following actions:
- Publish voluntary Health care and Public Health sector Cybersecurity Performance Goals (HPH CPGs). HHS will release HPH CPGs to help health care institutions plan and prioritize implementation of high-impact cybersecurity practices.
- Provide resources to incentivize and implement cybersecurity practices. HHS will work with Congress to obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices.
- Implement an HHS-wide strategy to support greater enforcement and accountability. HHS will propose new enforceable cybersecurity standards, informed by the HPH CPGs, that would be incorporated into existing programs, including Medicare and Medicaid and the HIPAA Security Rule.
- The HHS Office for Civil Rights will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, in spring of 2024, to include new cybersecurity requirements.
- [46:02] Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity. HHS will mature the Administration for Strategic Preparedness and Response’s (ASPR) coordination role as a “one-stop shop” for health care cybersecurity which will improve coordination within HHS and the Federal Government, deepen HHS and the Federal government’s partnership with industry, improve access and uptake of government support and services, and increase HHS’s incident response capabilities.
Buckle up, folks, these things are happening now. Soon they will be rolling out faster. If you are already behind, it will take more resources to catch up.
Cyber incidents have risen at an alarming rate across the healthcare sector. It is vital that we prepare now to combat these threats in order to protect our practices, businesses, and most importantly, patients. HHS’ cybersecurity plan is to package current cybersecurity initiatives and resources, developed by 405(d) and other HHS groups, with new ones to help organizations plan and prioritize implementation of cybersecurity practices. If you haven’t already implemented cybersecurity best practices and aren’t following a framework like the CPGs, HICP, or NIST, you are already behind. Get on board now or it’ll be a rough ride for you in 2024.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.